First - thanks for getting us a concrete starting point. Penalties badly needed work and this hits most of my concerns.
I do have 2 big issues…
Allowing Locally Built Blocks
If we allow locally built blocks, we will attract thieves that are able to capture MEV. If they can match a searcher from an MEV relay, they would make about ~6% on 32 ETH, but only feed back about ~4% to rETH holders.
For an 8-ETH minipool with 14% commission:
- an honest operator makes 8*.06+24*.06*.14=0.68 ETH per year, and passes on 24*.06*.86=1.24 ETH per year to rETH holders
- this dishonest operator would keep all MEV rewards, so they would make (8*.04+24*.04*.14)+.02*32=1.09 ETH per year and pass on 24*.04*.86=0.83 ETH per year
- The dishonest operator makes 60% more while rETH benefits only 67% as much
The dishonest operator is so successful that I predict if we freely allow locally built blocks, the protocol will be dominated by dishonest operators. This will make rETH underperform and I suspect eventually kill the protocol entirely.
My suggestion:
- Require MEV boost, with a small list of allowed relays.
- Require no locally built blocks.
  - That means that if no relay gets a block built, the NO should simply not propose.
  - This is unfortunate, and a slight loss of profits when relays have issues, but I don’t see another viable method at this time.
Can't a dishonest NO run a searcher and send value to themselves using MEV boost?
Not really. The relay will take the highest bid. If the NO’s bid wins, that means it’s providing more value to rETH than rETH would get without that bid. In short - they’re helping, not stealing.
Relying only on RPL
Right now we support 16+1.6 minipools and 8+2.4 minipools. These start with 17.6/10.4 ETH worth of collateral and will have at least 16/8 ETH worth regardless of RPL price changes.
The proposal here would reduce that collateral to 1.6/2.4 with an option to reduce that to ~0/0 under extreme RPL price depreciation.
As I wrote about in https://github.com/Valdorff/rp-thoughts/tree/main/leb_safety, I judged that under high market conditions 1 in 70 4+2.8 minipools would benefit from stealing each year and that this would result in an ~8% drop on rETH yield. At 2.4 ETH worth of collateral, that would be ~1 in 42. At 1.6 ETH worth of collateral that would be ~1 in 21. Damage to rETH would be devastating in either of these cases if they played out.
Without forced exits, you need to rely on a massive buffer - maybe 30+ ETH worth of RPL across a node, and some amount scaling per minipool on top of that? I think this is a nonstarter.
If we had forced exits, we could do something like:
- Require 10 ETH worth of RPL across a node
- If you drop below 10 ETH worth, all of your minipools are force exited; a grace period would probably be ok
- This would dramatically increase how important it is to “top up” your RPL (though at the node level, with the minipool level staying as is)
- This would price out small operators
My suggestion:
- Do write a clear spec that can be checked against for what will be penalized
- Use RPL penalties first, as that keeps ETH collateral intact
- Use ETH penalties if they are needed, so that we don’t need massive amounts of RPL
- Move towards making the penalty programmatic as that becomes possible – either set on chain or (if too gas expensive) challengeable on chain if incorrectly applied
Minor thoughts
Dynamic RPL Discount
The discount should be based on a starting discount and how long the sale has been open; this ensures that we always sell. This relies on at least one bot being “honest” (by which I mean taking the money for itself instead of colluding). That seems safe, especially if we make a bounty for an open source bot with instructions.
Minimum Penalty
As was mentioned - gas could be an issue in selling off small bits of RPL. The easiest solution is to simply enforce a minimum penalty, even when less is stolen. Maybe 0.25 ETH or something?
Settings
The theft tax, starting discount, and discount ramp rate should be pDAO settings so that no SC changes are needed to modify them if necessary.
Alternatives to 'no locally built blocks'
- We could penalize based off the max bid across all allow-listed relays for that slot
  - This would actually allow vanilla blocks, just at a cost; in a fallback scenario you would simply pay that cost and hope it’s not a lottery block
- In combination with the above, we could allow appeals
  - The penalty would be instantly applied, but the RPL would be escrowed briefly (e.g. for 3 days). In this time the user could appeal with evidence. If the evidence is convincing, some group (oDAO or otherwise) would be able to remove the penalty. There should be a cost to a lost appeal to avoid griefing.
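
A sketch of how the max-bid penalty, the minimum penalty and the time-based RPL discount discussed in this post could fit together, as an added example that is not part of the original post or of Rocket Pool's code. The setting values, treating the theft tax as a surcharge on the shortfall, and the linear discount ramp with a cap are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PenaltySettings:
    # Hypothetical pDAO settings: the post names them but gives no values,
    # apart from floating "maybe 0.25 ETH" as a minimum penalty.
    theft_tax: float = 0.10        # assumed: surcharge on top of the shortfall
    min_penalty_eth: float = 0.25
    start_discount: float = 0.01   # RPL sale opens 1% below market
    ramp_per_hour: float = 0.005   # assumed linear ramp while the sale is open
    max_discount: float = 0.50     # assumed cap so the discount stays below 100%

def slot_penalty_eth(relay_bids, paid_eth, s=PenaltySettings()):
    """Penalty for one slot, benchmarked on the best allow-listed relay bid."""
    benchmark = max(relay_bids.values(), default=0.0)  # no bids: nothing to match
    shortfall = benchmark - paid_eth
    if shortfall <= 0:
        return 0.0  # proposer paid at least what the best relay offered
    # Floor so the RPL sale is worth its gas even when little was taken.
    return max(shortfall * (1 + s.theft_tax), s.min_penalty_eth)

def discount_at(hours_open, s=PenaltySettings()):
    """Discount offered to buyers after the sale has been open `hours_open`."""
    return min(s.start_discount + s.ramp_per_hour * hours_open, s.max_discount)

def rpl_to_sell(penalty_eth, rpl_price_eth, hours_open, s=PenaltySettings()):
    """RPL that must be sold at the current discount to raise `penalty_eth`."""
    return penalty_eth / (rpl_price_eth * (1 - discount_at(hours_open, s)))

if __name__ == "__main__":
    # Constructed sample: bids (ETH) seen for one slot on three allow-listed relays.
    bids = {"relay_a": 0.08, "relay_b": 0.31, "relay_c": 0.12}
    vanilla_paid = 0.05  # ETH that actually reached the fee recipient
    penalty = slot_penalty_eth(bids, vanilla_paid)
    for hours in (0, 12, 48):
        print(hours, round(discount_at(hours), 3),
              round(rpl_to_sell(penalty, 0.01, hours), 2))
```

The longer the sale stays open, the more RPL the penalized node gives up for the same ETH penalty, which is what guarantees a buyer eventually appears.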