Can Ethereum Out-Engineer the Censors by 'Shuttering' the Beacon Chain?

In a previous edition of the Valid Points newsletter, we dove headfirst into the debate around censorship on Ethereum. We focused on the role that validators – the computers that propose blocks of transactions on Ethereum’s upcoming proof-of-stake network – might play in censoring transactions.

The censorship debate sprang up in response to the recent U.S. sanctions against Tornado Cash – the Ethereum mixer program used by money launderers and everyday Ethereum users to send and receive money without leaving a clear trail.

In light of concerns that Ethereum’s transactions might be censored, members of the Ethereum community have been discussing ways the core protocol can be engineered to make censorship difficult – or even impossible.

One of the more compelling ideas for how this might work is a “shutterized Beacon Chain” – a proposal that encrypts key transaction details so they cannot be censored by validators. But Martin Köppelman, the creator of this idea, isn’t so sure that censorship is a problem that the Ethereum community can code its way out of.

This article originally appeared in Valid Points, CoinDesk’s weekly newsletter breaking down Ethereum’s evolution and its impact on crypto markets. Subscribe to get it in your inbox every Wednesday.

For a community used to engineering its way out of (and into) problems, this may be a hard pill to swallow.

Censorship on Ethereum

The fear two weeks ago was that major validators such as Coinbase (COIN) and Kraken might censor transactions in accordance with U.S. Treasury Dept. sanctions. This potential for censorship was all the more worrisome given that a few validators control a majority of the “stake” (read: power to process transactions) on Ethereum’s soon-to-arrive proof-of-stake network.

But in the last couple of weeks, much has changed.

On the positive side for those opposed to censorship, Coinbase and other big-name validators have clarified their position on how they will handle sanctioned transactions. Most (but not all) responses have echoed that of Coinbase CEO Brian Armstrong, who says he would sooner end his company’s staking business than succumb to censorship.

But on the negative side, a whole new set of questions has cropped up around whether transactions can be blocked before they are even sent by validators.

These challenges center around MEV-Boost, a piece of middleware that most validators are expected to use come the Merge.

MEV: Maximal extractable value

Before we continue we’ll need to explain one of the critical challenges plaguing Ethereum and other blockchain networks: MEV.

When an Ethereum user issues a transaction, it’s not automatically accepted by the rest of the network. First, it goes to the so-called mempool – a giant bucket of unconfirmed transactions from other Ethereum users.

Recall that a block is just a glorified list of transactions. Validators scan, select and organize mempool transactions into blocks that they propose out to the wider network. If they’re clever, they’ll do this in a way that extracts a bit of extra profit for themselves – a concept called Maximal (or Miner) Extractable Value, or MEV.

Validators aren’t the only actors squeezing out MEV. So-called “searchers” have also emerged – computers that scan the mempool and preview what transactions are upcoming. They then bribe validators (by issuing transactions with a higher fee, or “tip”) to include their own transactions ahead of others that they expect to impact the market.

Read more: Just-In-Time Liquidity: How MEV Can Enhance DeFi on Ethereum

MEV practices range from benign to malicious. On the more malicious end, searchers and validators can use their future-telling abilities to screw over other market participants.

Take sandwich attacks, for example. Say a searcher sees in the mempool that “Bob” is about to buy a bunch of DAI on a particular exchange. The searcher knows that Bob’s transaction will increase the price of DAI, so the searcher buys up a bunch of DAI for itself right before Bob does. Then, after Bob pumps the price of DAI, the searcher dumps the DAI tokens that it just bought while the price was lower.

The searcher, if they are clever, will net out with a profit. Bob, on the other hand, will probably pay a bit extra for DAI as a result of the searcher’s initial purchase. No fun.

MEV-Boost

MEV-Boost makes a bet that MEV, if it can’t be exterminated, can at least be more equitable. Flashbots, its creator, achieves this by separating the actors who build blocks from the validators who propose them out to the wider Ethereum network.

Builders – not validators – do the complicated optimization work of selecting and ordering transactions into blocks in a way that maximizes MEV. If everyone uses MEV-Boost, the thinking goes, then at least everyone will have a fair shot at extracting MEV.

Read more: Are Block Builders the Key to Solving Ethereum’s MEV Centralization Woes?

“Proposer builder separation” will eventually be baked into Ethereum’s core code, but MEV-Boost is a stopgap solution. To make things work, it relies on centralized “relays” to send blocks from builders to proposers.

And this is where the whole issue of censorship comes into play. Flashbots says that its own relay – the default relay that will be shipped with MEV-Boost – will censor transactions in accordance with Tornado Cash sanctions.

Unsurprisingly, the wider Ethereum community was not happy to hear this.

In response to community backlash, the team opted to make open source its relay software earlier than originally planned. This means other parties will be able to set up non-censoring relays when MEV-Boost launches. Validators will have the option of selecting whether they want to use the censored or uncensored relay option.

Even though uncensored relays will be optional, that’s all they’ll be: optional. For anti-censorship hardliners – which includes many of Ethereum’s core developers – this is not enough.

Shutterized Beacon Chain

With all this controversy around censoring validators, relays and software providers emerges a key question: What if censorship could be engineered out of existence?

In a world where “trustlessness” is a core tenet, such a utopian ideal becomes appealing.

Enter, shutterized Beacon Chain.

In a research proposal this past March, authors framed the shutterized Beacon Chain concept as a way to solve the MEV problem.

The proposal introduced a new Ethereum transaction: transactions that are encrypted when they go to the mempool.

Outside of limited information (like the “tip” that a transaction includes for validators to ensure it gets added to a block), other core details – like who is sending a transaction, who is on the receiving end and the quantity of tokens changing hands – are hidden from searchers and block builders.

Only after a transaction is approved and confirmed on-chain will its content become unencrypted.

The idea was originally proposed by Martin Köppelman, the founder of Gnosis Chain.

“The concept of a shutterized Beacon Chain, in general, is that we separate transaction inclusion from transaction execution,” he explained to CoinDesk. “So you have a period where you blindly include transactions purely … based on whether they are paying a fee, and whether they are paying a high enough fee. If they do, they should be included. That's it.”

It’s obvious why this might be useful from an anti-MEV perspective: If block builders and searchers can’t see a transaction’s payload (meaning what is being paid out to whom), then they won’t have the information that they need to extract MEV. (How can you “front-run” a transaction if you don’t even know what it contains?)

As a side effect, shutterization could play a major role in preventing censorship. Validators and relays won’t know whether to censor a transaction if they can’t see its sender or recipient.

We won’t dive too deeply into the underlying mechanics of the shutterized Beacon Chain concept in this newsletter. Beyond being complicated, the idea hasn’t yet been fully fleshed out on an engineering level (though “shutter” concepts are being built out on Ethereum rollups and other blockchains).

Not so fast …

Köppelman says the shutterized Beacon Chain concept didn’t gain much attention when it was introduced in March. Partly, he thinks, it was because MEV-extractors – which account for a large portion of the Ethereum community – have profited handsomely from Ethereum’s unencrypted status quo.

When Köppelman re-pitched the idea around censorship after August’s Tornado Cash sanctions, though, it was received warmly by members of the Ethereum developer community. Some even took the idea further, suggesting that all transactions be shutterized (rather than making it optional, as suggested in the original proposal).

But questions remain: What if governments decide that processing transactions containing sanctioned addresses is illegal regardless of whether those transactions were encrypted when they were picked up by validators? Or what if regulators decide to treat shutterization like Tornado Cash – outlawing a shutterized Beacon Chain entirely?

Despite the recent enthusiasm around his idea, Köppelman noted in his conversation with CoinDesk that it’s not as if shutterization – or any engineering intervention – can ultimately “solve” Ethereum’s censorship problem.

“I think it's almost always possible, whatever the regulatory challenge is, to find an engineering solution to it. However, I also think that if you always try to find an engineering solution to it – at the end, Ethereum, and crypto, will become extremely niche,” Köppelman told CoinDesk.

To explain his point, Köppelman mentioned last week’s news that Hetzner, the cloud service provider that hosts 10% of Ethereum nodes, has banned all crypto-related activity.

“So, of course, now we can come up with an engineering solution that would say, ‘well, stake at home,’” Köppelman explained. “But next, internet service providers could block traffic that's related to [staking]. Again, you could come up with an engineering solution, but each time you lose a percentage of users. In the end, it becomes this kind of mammoth thing where three guys have a super engineered solution, but still, regulators and broader social consensus could try to force it out of the public.”

In the end, the fight against censorship continues offline – where it is likely to remain.

“I think ultimately, it's always a social kind of fight,” Köppelman reflected. “I don't want to just find ways to somehow be able to use Tornado; I want to make it socially acceptable to say that Tornado is a valuable thing.”

Pulse check

The following is an overview of network activity on the Ethereum Beacon Chain over the past week. For more information about the metrics featured in this section, check out our 101 explainer on Eth 2.0 metrics.

Disclaimer: All profits made from CoinDesk’s Eth 2.0 staking venture will be donated to a charity of the company’s choosing once transfers are enabled on the network.

Validated takes

Voyager Digital is attracting takeover interest, but Coinbase has withdrawn.

• WHY IT MATTERS: Binance and FTX are still interested in buying Voyager Digital’s assets. Bids for Voyager assets are due Sept. 6 in a sale process taking place through its bankruptcy case. Binance, FTX and Coinbase were not the only players interested. According to a presentation from Voyager’s lawyers, at least 22 investors had gone through due diligence and indicated their interest in buying Voyager’s assets. Read more here.

The SEC is probing Grayscale over the firm’s “securities law analysis” of XLM, ZEC, ZEN.

• WHY IT MATTERS: THE Securities and Exchange Commission staff from the Division of Corporate Finance as well as Enforcement was investigating trusts at the CoinDesk sister company containing the native cryptocurrencies of Stellar (XLM), Zcash (ZEC) and Horizen (ZEN). These coins combined made up less than 1% of Grayscale’s roughly $18.7 billion assets under management from funds and trusts. Read more here.

ENS DAO may lose its web address.

• WHY IT MATTERS: The Web3 domain name service cannot renew its web address because the only person with the authority to renew the domain, Virgil Griffith, is serving a 63-month prison sentence. ENS DAO’s eth.link website is currently an empty page with a green domain expiration notice banner. Khori Whittaker, the executive director of ENS, told CoinDesk, “Events like this ultimately show the importance of decentralized naming systems.” Read more here.

Factoid of the week

Open comms

Valid Points incorporates information and data about CoinDesk’s own Ethereum validator in weekly analysis. All profits made from this staking venture will be donated to a charity of our choosing once transfers are enabled on the network. For a full overview of the project, check out our announcement post.

You can verify the activity of the CoinDesk Eth 2.0 validator in real time through our public validator key, which is:

0xad7fef3b2350d220de3ae360c70d7f488926b6117e5f785a8995487c46d323ddad0f574fdcc50eeefec34ed9d2039ecb.

Search for it on any Eth 2.0 block explorer site.