How Neo Eliminates Toxic MEV

Neo Founder Da Hongfei delves into Neo’s innovative solution for tackling the pervasive issue of toxic MEV in the blockchain industry.

12 min readFeb 28, 2024

Dear Neo Community,

I’m Da Hongfei, Neo’s Founder. Like you, I’m a learner and explorer within the vast blockchain landscape.

Thank you for your keen interest in the development of our new EVM-compatible sidechain, Neo X! As Neo X is currently in its Alpha version, undergoing testing by experienced developers, I’d like to shed light on one of its standout features — MEV resistance.

Both technical and governance considerations have driven the decision to implement MEV resistance in new Neo X. With this step, we aim to inspire insightful introspection and discussions within our community about the persistent issue of MEV.

As a starting point, I hope that this article will inspire many of you to join us in discussions–and even in substantial collaborations. Your perspectives are invaluable as we shape our future trajectory together.

Toxic Maximal Extractable Value (MEV) is a form of censorship

Toxic MEV serves as a form of censorship that harms the security, permissionlessness, and decentralization of the blockchain. Let’s take a look at the harm that toxic MEV causes to the industry, and the vast amount of revenue at stake.

How toxic MEV harms the blockchain ecosystem

MEV can be implemented in various forms. Some of these are just neutral transactions, such as DEX arbitrage, which aims to provide better liquidity to long-tail markets or liquidations for promoting lending protocol efficiency.

However, some MEV attacks are initiated by miners or validators who reorder transactions to capture additional value that is detected by censoring user transactions. This is an example of a form of MEV known as toxic MEV.

Some common examples of toxic MEV include:

Block Withholding: By intermittently holding back the publication of completed blocks, miners can manipulate the timing of transaction confirmations. Miners can use this technique to their benefit–especially when dealing with time-sensitive trades where a delay or anticipation of market movements can lead to substantial profits.
Time Bandit Attack: Miners may employ a “time bandit” attack, where they reorder transactions within a block to create favorable outcomes, particularly when interacting with predictable smart contract actions. By doing so, they exploit the deterministic nature of blockchain technology, aligning transactions to maximize financial advantages.
Front-running: Searchers use mempool-tracking bots to spot potentially profitable transactions and replace the address of them with their own address.
Sandwich attack: A common form of attack that combines front-running and back-running (placing a transaction immediately after the target transaction) is a sandwich attack, where orders are placed before and after a price-changing transaction.

(Front-running and sandwich attacks can be categorized as transaction reordering.)

Thus, toxic MEV is a term of censorship with implications for issues such as the types of transaction reordering that can affect the outcomes of decentralized finance (DeFi) transactions.

We at Neo see a need to eliminate toxic MEV because it makes transaction processing less fair and less efficient. This imperative has led us to the next big leap for Neo: the upcoming Neo EVM Sidechain, referred to in this article as the Neo Sidechain or Neo X. With Neo X now under development, Neo is stepping up to be the first blockchain to kick toxic MEV to the curb.

The toxic MEV industry causes massive losses

Due to the complex and ambiguous nature of MEV, there is not yet a standard measurement for how much revenue toxic MEV costs the industry or how much it causes users to lose. Yet it is clear that the losses are massive, and the industry must face and address the issue. Thus, to establish a baseline for discussion, we reviewed sources such as Chorus, Galaxy, Flashbots, Ethresear, and more and did some reasonable calculation on our own to estimate the size of losses caused by toxic MEV as follows:

On Ethereum alone, it is estimated that the revenue generated by toxic MEV in 2022 will be approximately $400M. It is relatively reasonable to roughly judge that the revenue from toxic MEV from historical accumulation to The Merge has been in the range of $900M to $1B.

The Total Addressable Market (TAM) for MEV, which is the calculable range, is estimated to be in the range of $300M to $900M. This primarily includes easily identifiable transactions such as sandwich attacks, arbitrage, and liquidations. (Data is sourced from Flashbots and Dune.)

But the actual losses caused by MEV are much higher. This is because the above estimate doesn’t capture the consequential long-tail effect of MEV that is happening with NFTs and in other DeFi applications. In an increasingly complex and competitive market, a sandwich attack (the simple combination of front-running and back-running) will not gain the player enough advantage over other MEV seekers. So the player will need to apply more delicately designed trading strategies, combining dozens of on-chain and off-chain transactions, to complete one strike of profitable MEV. As a result, these transactions, when separately considered, will not be seen as an action of MEV.

For example, off-chain hedging is untraceable, and multi-block MEV is difficult to identify. Chorus One, a node service provider, estimates that the actual cumulative profit from MEV transactions is around $1.9B, further breaking down the figures into good and toxic MEV. The estimated profit from good MEV, including arbitrage and liquidations, is approximately $713.95M, while the estimated profit from bad MEV, including sandwich attacks, is around $1206.11M. Therefore, we will consider the cumulative total income of bad MEV to be close to $1B.
Or, as another example of the estimated impact of MEV, the revenue from sandwich attacks stands at $1206.11 million. A sandwich attack is often viewed as unfavorable MEV. Most MEV-protected DEXes aim to control and democratize this profit share. In the 2021 bull market, the overall income ceiling was $476 million. Calculated at a conservative 10x PS, the total track scale is close to $5 billion.

This increase on Ethereum has slowed since the Merge. However, we at Neo believe that MEV revenue continues to grow on emerging new L1s and L2s.

Neo X will support MEV resistance via dBFT consensus and enveloped transactions

Neo aims to make Neo X the first blockchain to eliminate toxic MEV. In order to solve the problem systematically, Neo has categorized toxic MEV into two main categories:

In one of these categories, miners/validator/consensus nodes use their privileges, take advantage of the flaws in the consensus mechanism, and disturb the normal/regular block-producing process by delaying it or overthrowing the previous decision.
In the other category, miners/validator/consensus nodes produce the blocks in a seemingly righteous way, while in fact taking advantage of the “preview/peeking” rights and order transactions in their interest.

Neo X can address both of these categories of toxic MEV. For the first category, Neo’s dBFT consensus can eliminate the opportunity and the incentive for miners/validator/consensus node misconduct and jeopardize the block producing process from the root. For the second category, enveloping all transactions, making them unseeable to ones that process them, can ensure that the only option is to pack all transactions in a neutral and unbiased manner.

Let’s look further into the roles that dBFT consensus and enveloped transactions will play in this solution.

Neo X’s inherited dBFT consensus mechanism eliminates Time Bandit Attacks and Block Withholding

As one of the major blockchains with one-block finality, Neo inherently can prevent MEV attacks such as Time Bandit Attacks and Block Withholding. The new sidechain will inherit and benefit from this capability in the following ways:

Neo can finalize a block once it is generated. This means that attackers have no opportunity to rearrange the committed transactions to make a profit.
Further, every consensus node’s behavior is under the community’s review. If some nodes withhold a block too long, the other nodes will start a new consensus view and continue producing blocks. If some nodes withhold a block a little longer, the community can see this behavior and will punish it. If a node is rational, it will prefer long-term block rewards over short-term profit.

How Neo X can eliminate toxic MEV through enveloped transactions

As mentioned above, a specific category of toxic MEVs called transaction reordering, including front-running and sandwich attacks, is caused by transaction detection. To mitigate these types of toxic MEV, we must address the issue of transaction detection. More than 60% of all blocks on Ethereum are built through the Flashbot relay and therefore enforce censoring of user transactions.

A key strategy to address this issue involves preventing MEV searchers and block producers from accessing the details of transactions before they are confirmed in a block. Introducing the method of “enveloped transaction” to Neo means that even the block producer itself can not determine how much profit will be achieved by the transactions that they collected before these transactions are securely packed into the next block. This strategy also lowers the possibility of a consensus node performing Block Withholding.

To achieve MEV resistance, Neo X will keep the transactions enveloped until they are included in a block and ordered, and then to allow the consensus nodes to decrypt the transactions. A pivotal cryptographic tool called “threshold decryption” makes this possible. Further, we are employing Distributed Key Generation (DKG) to enable the secret key setup for threshold decryption.

The role of threshold decryption in constructing enveloped transactions

With the setup of DKG, each consensus node owns a partial private key, and all the consensus nodes own a single common public key. This allows users to encrypt their transactions with the common public key, preventing others from viewing the transaction content before the transaction is ordered in a new block. Then, each consensus node runs threshold decryption with its own partial private key, which cannot directly decrypt the raw transaction. To recover the whole raw transaction, there must be enough consensus nodes (no less than the threshold; larger than two thirds in practice) that each provide their own partially decrypted result.

To make transactions more fair and secure, the Neo Sidechain will allow repeated setup of new DKG keys. In practice, we require that a process of the previous DKG should be finished, and a new proposal for changing DKG keys be registered. Then the consensus nodes check whether the new proposal is valid, and allow the change of keys.

Moreover, to save GAS for users, we will still support traditional non-encrypted transactions that are insensitive to MEV. However, unencrypted transactions are always ordered after MEV-resistant transactions in each block.

In essence, DKG and threshold decryption serve as a robust privacy-preserving mechanism in blockchain networks. They ensure that even though individual consensus nodes hold only partial information about a transaction, the complete transaction data can be reconstructed securely only when a sufficient number of participating nodes cooperate. This thereby maintains the confidentiality and integrity of the blockchain ecosystem.

Neo X introduces an unique, innovative MEV-resistant solution without radically overhauling the protocol layer or compromising security and performance

Let’s now examine how Neo X can eliminate toxic MEV without compromising consensus security or mempool security.

Retaining the integrity of consensus security

It is important both to conceal the MEV-resistant transaction contents before the block confirmation, and reveal them after the block’s confirmation. While the content of transactions within a confirmed block is essential for the public blockchain, achieving this goal is not straightforward.

One approach to accomplish this could be to rely on someone to conceal and reveal the transactions within the consensus process. This is similar to Ethereum’s PoS-based Flashbots process, and it introduces a new trust model to a third party. As the third party supervises block production, if any node refuses to publish transactions after receiving sufficient votes, the block should be dropped, resulting in an empty slot. But if the entrusted third party intends to launch an MEV attack themselves, all efforts will be in vain. This makes it far from ideal to rely on any entity to reveal transaction details after the consensus step.
Another approach to addressing this issue involves the use of advanced tools, such as combining VRF (Verifiable Random Function) and ZKP (Zero-Knowledge Proof). This can allow users to generate a ZKP that proves their encrypted transaction, utilizing a VRF result, which will eventually become public. However, this approach needs careful consideration, as it could inadvertently expose transaction details before they are included in a block.

The dBFT consensus algorithm offers a better alternative. Because the dBFT consensus algorithm assumes that at most ⌈(n-1)/3⌉ nodes are malicious out of n nodes, integrating DKG into the final step of the dBFT process ensures that when ⌊(2n+1)/3⌋ confirmations are gathered (which means the block is confirmed), then ⌊(2n+1)/3⌋ DKG keys can also be collected simultaneously. This makes it possible to encrypt the transaction by revealing the consensus nodes’ DKG’s public key to others without having to worry about anyone attacking the transaction before it is packed into the block. Others can then reveal those transactions by using the ⌊(2n+1)/3⌋ DKG keys.

Neo X also alters the block’s structure so that all MEV-resistant transactions are packed at the front of the block, with non-MEV-resistant transactions packed thereafter. The non-MEV-resistant transactions will enjoy regular GAS fees, just as they do now on Neo N3, with no extra fees required for MEV-resistance. However, MEV-resistant transactions will have priority.

Retaining the integrity of mempool security

Ensuring the security of the mempool (which holds unconfirmed transactions) also is critical to the effort to eliminate toxic MEV. Neo X implements a dedicated mempool for MEV-resistant transactions, safeguarding regular transactions from any adverse effects. To mitigate potential issues such as DoS attacks and decryption failures for outdated MEV-resistant transactions, an additional check has been integrated into the new mempool.

Consider this now-common scenario:

MEV searcher A identifies an opportunity on the blockchain and submits tx1 with a gas price of 1 gwei.
Subsequently, MEV searcher B also recognizes the same opportunity and may submit tx2 with a gas price of 2 gwei to secure a spot.
This competitive dynamic could escalate with additional searchers, potentially causing chaos on the blockchain and displacing normal transactions.

In contrast, Neo X segregates MEV-resistant and ordinary transactions into different memory pools, ensuring that MEV-resistant transactions do not impact ordinary ones. While MEV-resistant transactions maintain their privacy in the mempool, they can establish a reasonable priority fee upfront without concerns about replacements by others.

If a consensus node deviates from this approach (e.g., consistently prioritizing someone’s transaction), any non-compliance can be identified and addressed using the power of dBFT. The community has the authority to vote out non-compliant nodes, guaranteeing the avoidance of harmful competition.

Introducing threshold encryption to address MEV resistance with high performance and security

In an industry-leading move, the design of Neo X seamlessly uses the dBFT process with threshold decryption, without large losses of performance. Decryption leads to longer delays for exchanging keys, but a few seconds of delay should not be a large problem.

Some BFT-based chains may quickly imitate our design, at the risk of introducing bugs into the consensus algorithm. Non-BFT chains would need a third party aggregator that receives a bulk of encrypted transactions, decrypts them, and sends the bulk to the final consensus as a whole. Because EVM chains cannot execute arbitrary multiple contract calls in a single transaction (without deploying a new contract), it can be too expensive for the third party to run threshold decryption. A more practical solution for most EVM chains is to run another side chain.

Threshold encryption/decryption is a classic cryptography tool with a long history standing (no later than 2010). But as far as we know, only Neo uses it for MEV resistance. Some ideas of using it in blockchains were proposed in papers in the 2020s, but the Neo research team hasn’t uncovered any industrial implementation to date.

Threshold encryption is an easy win against MEV and dramatically improves security. Looking forward, it could be possible to even provide an “overkill” level of redundant, additional security on Neo X by also implementing zero knowledge proof (ZKP), a step that is under consideration for the future.

Join us in building a new Neo Sidechain and a new path for the blockchain industry

The points reviewed here represent the essence of months of discernment and discussion at Neo about how we can build a sidechain that is not only EVM compatible, but also possesses killer features to serve the community and the larger goal of realizing the Smart Economy. I’m proud that with this next step for Neo, we are also leading the blockchain industry toward a significant jump forward in overall security and performance.

As we at Neo forge our thoughts and goals for the Neo X into reality, we invite and value your input — be it suggestions, insights, or constructive criticism. We welcome you to reach out to us on Twitter or in our Discord group to share your perspectives. As always, Neo is a community-driven blockchain, and your engagement propels us forward.

–Da Hongfei

About Neo

Founded in 2014, Neo is an open-source, community-driven blockchain platform designed to welcome developers into the Smart Economy. By enabling developers to digitize and automate the management of assets through smart contracts, Neo is built to realize the optimized digital world of the future. As the most developer-friendly blockchain, Neo meets developers where they are by integrating seamlessly with the world’s most widely used languages and tools and providing the most feature-complete blockchain platform for building full-stack decentralized applications. With native support for powerful infrastructure including decentralized storage, oracles, and domain name service, Neo is the ideal foundation for developers to build the next generation Internet.